Unencrypted MoviePass Database Exposes Sensitive Info From Thousands of Customers

Struggling movie ticket subscription service MoviePass stored thousands of customer card numbers and personal credit cards in a database that was not protected with a password, reports TechCrunch.

The exposed database, which contained 161 million records, was discovered by Mossab Hussain, a Dubai-based security researcher. Many of the records in the database were computer-generated logging messages, but some also featured sensitive user information like MoviePass customer card numbers.


MoviePass customer cards work like debit cards and are issued by Mastercard, allowing customers who sign up for MoviePass to use them to pay for the full cost of movie tickets.

In a sample of 1,000 records, TechCrunch found that a little over half contained unique MoviePass debit card numbers, expiration dates, and card balance. More than 58,000 records containing card data were found.

The unprotected MoviePass database also featured some customers' personal credit card numbers along with expiration dates, names, addresses, and other billing information. TechCrunch says that records contained enough information to allow someone to make fraudulent card purchases, though some records featured card numbers that were masked with the exception of the last four digits.

Email addresses and passwords related to failed login attempts were also found in the database.

We found hundreds of records containing the user's email address and presumably incorrectly typed password -- which was logged -- in the database. We verified this by attempting to log into the app with an email address and password that didn't exist but only we knew. Our dummy email address and password appeared in the database almost immediately.

While Hussain contacted MoviePass CEO Mitch Lowe over the weekend, there was no response. MoviePass left the database online until Tuesday when TechCrunch contacted the company.

The database may have been accessible for months, but MoviePass did not respond to TechCrunch's questions about how long the server was exposed and whether it plans to disclose the incident to customers.

Hussain told TechCrunch that he questions why internal technical teams would be allowed to see critical data in plaintext, "let alone the fact that the dataset was exposed for public access by anyone."
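
One way to keep the two leaks described above (passwords from failed logins and full card numbers) out of application logs, as an added example that is not MoviePass's code and not from the original article. The field names, the `RedactingFilter` class and the sample lines are assumptions constructed for illustration; attach the filter to every handler so no sink receives the raw message.

```python
import logging
import re

# Field names are assumptions; extend to match your own log schema.
SECRET_FIELD = re.compile(
    r'\b(password|passwd|pwd|cvv|cvc)\b("?\s*[=:]\s*)("[^"]*"|\S+)', re.IGNORECASE)
# 13-19 contiguous digits, or four groups of four split by spaces/dashes.
PAN_CANDIDATE = re.compile(r'\b(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})\b')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    digits = re.sub(r'\D', '', match.group(0))
    if not luhn_ok(digits):
        return match.group(0)
    return '*' * (len(digits) - 4) + digits[-4:]  # keep last four only


def scrub(message: str) -> str:
    """Drop secret values entirely, then mask anything that parses as a PAN."""
    message = SECRET_FIELD.sub(lambda m: m.group(1) + m.group(2) + '[REDACTED]', message)
    return PAN_CANDIDATE.sub(_mask_pan, message)


class RedactingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub(record.getMessage()), ()
        return True


# Constructed sample log lines (card numbers are public test PANs).
SAMPLE_LINES = [
    'login failed email=dummy@example.com password=hunter2 ip=192.0.2.7',
    '{"event": "login_failed", "password": "hunter2"}',
    'charge ok card=5555555555554444 exp=08/21 order=1234567890123456',
    'billing update pan=4111 1111 1111 1111 name=Test',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(scrub(line))
```

The Luhn check leaves the 16-digit order id untouched while both card numbers are reduced to their last four digits.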

Since its early 2018 launch, MoviePass has failed catastrophically. It ran out of money temporarily in mid-2018 because it was losing up to $40 million per month, and then began cutting back on the quality of service, limiting movie access, raising prices, and even temporarily shutting down.

Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money. Over the course of the last year, MoviePass has allegedly gone from three million subscribers to approximately 225,000.

Top Rated Comments

10 months ago
I jumped ship a LONG time ago when they started limiting and cutting. The funny thing, I haven't been back to the theaters once since. Greedy theaters that didn't want to partner lost all my business. Instead of being reasonable, they lost a lot more.
Score: 8 Votes

10 months ago
Yep, this company is a total joke. I dumped them 2 months after getting it.
Score: 7 Votes

10 months ago

Greedy theaters that didn't want to partner lost all my business. Instead of being reasonable, they lost a lot more.

Greedy theaters? Reasonable? MoviePass was selling you deeply discounted tickets that they were buying at full price, and your takeaway is that the tickets were overvalued? If I go bankrupt selling you dollar bills for 25 cents each, do you think that dollar bills are too expensive at normal prices, or that I had a terrible business plan?
Score: 4 Votes

10 months ago
Thank god I never took the bait and signed up for this cluster service.
Score: 4 Votes

10 months ago
I honestly thought this company was dead already
Score: 2 Votes

10 months ago
Why does this company still exist? Shouldn't it be six feet under by now? How can a company be such a complete cluster-****, lose millions and millions of dollars, and still be around to lose control of customer data?

It's frustrating to see this happen while so many good people are scraping by.
Score: 1 Votes